Jobe security question

Re: Jobe security question

by Tim Hunt -
In a web site facing the internet, you don't want to make all the information in phpinfo available to casual browsers, because it gives attackers useful clues, e.g. if you are running a version of a library with known vulnerabilities.

However, you should not think of the Jobe server as part of a public web site. As Richard says, it should be firewalled so that the only ways into it are API calls (HTTP) from the Moodle server, and direct access (SSH) for server admins. And it probably should not be allowed to make any outgoing requests at all, except perhaps HTTPS fetches from GitHub, when you want to update the JOBE code.

Therefore, this is not a server on the public internet. This is a resource available to your computing students, where they can execute their code to test it. So you need to think about it like that. If you are a student who has been given access to a computer with PHP on it as a place to do your programming exercises, then it is quite reasonable for you to know the details of the PHP install, and PHPinfo is the easiest way to get that. (Indeed, learning to understand what is on the PHPinfo page is probably an important thing for you to learn as a student of PHP.)
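
The firewall policy described in the post above, written as an nftables ruleset. This is an added example, not part of the original post or of the Jobe project. It assumes an IPv4-only host with the API on port 80 and SSH on port 22; the addresses are documentation placeholders and the `github_https` set is left for the admin to fill in.

```nft
#!/usr/sbin/nft -f
# Added example: host firewall for a Jobe server (placeholder addresses).

define MOODLE_SERVER = 192.0.2.10      # placeholder: the Moodle server
define ADMIN_NET     = 198.51.100.0/24 # placeholder: network the admins SSH from

table inet jobe_filter {
    # Destinations allowed for HTTPS when updating the Jobe code.
    # Left empty on purpose: fill in the address ranges you allow for GitHub.
    set github_https {
        type ipv4_addr
        flags interval
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept

        # API calls (HTTP) from the Moodle server only.
        ip saddr $MOODLE_SERVER tcp dport 80 accept

        # Direct access (SSH) for server admins only.
        ip saddr $ADMIN_NET tcp dport 22 accept
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        # Lets replies to the accepted inbound connections leave the host.
        ct state established,related accept

        # The one outgoing exception: HTTPS fetches for updates.
        # Resolving names for that fetch would also need a DNS rule to
        # your resolver; it is omitted because the post does not cover it.
        ip daddr @github_https tcp dport 443 accept
    }
}
```

With the output policy set to drop, code submitted by students cannot open new outbound connections, and because the table only accepts `ip` (IPv4) matches, all IPv6 traffic falls through to the drop policy.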